22.3.3 Configuring Administration Console as a Remote Audit Server

You can configure Administration Console as a remote audit server for syslog. By default, audit logs are sent to /var/log/NAM_Audits.log. rsyslog provides various options and macros for Administration Console to accept logs over UDP and TLS over TCP.

Perform the following steps to use Administration Console as a remote audit server using UDP and TLS over TCP:

Communication using UDP

To load the required module for rsyslog for receiving messages using UDP, perform the following steps:

  1. Edit nam.conf and namMultiTarget.conf of Administration Console working as the remote audit server and add the following entries:

    $ModLoad imudp # load UDP module
    $UDPServerRun <port number> # UDP connection port

    For information about how to modify a file, see Modifying Configurations.

  2. Restart the rsyslog service.

Communication using TLS over TCP

  1. Add the following macros to nam.conf and namMultiTarget.conf of Administration Console working as the remote audit server:

    $DefaultNetstreamDriver gtls
    $DefaultNetstreamDriverCAFile <remote peer's CA certificate filepath>
    $DefaultNetstreamDriverCertFile <public key certificate filepath>
    $DefaultNetstreamDriverKeyFile <private key file>
    $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
    $InputTCPServerStreamDriverAuthMode <mode>
    $InputTCPServerStreamDriverPermittedPeer <permitted peer ID>

    In $InputTCPServerStreamDriverAuthMode <mode>, you can specify one of the following authentication modes for validating a remote peer:

    • anon: Anonymous authentication. The remote peer is not authenticated.

    • x509/certvalid: Certificate validation only.

    • x509/name: Certificate validation and subject name authentication.

    In $InputTCPServerStreamDriverPermittedPeer <permitted peer ID>, specify the remote peer's identifier. Only connections from these peers are accepted. You can set PermittedPeer to a single peer or to an array of peers, identified by IP address or by name, depending on the TLS certificate. For example:

    Single peer: $InputTCPServerStreamDriverPermittedPeer "127.0.0.1"

    Array of peers: $InputTCPServerStreamDriverPermittedPeer ["test1.ex.net","10.1.2.3","*.ex.net"]

    If array syntax does not work, configure each entry individually.

    A sample nam.conf file:

    $DefaultNetstreamDriver gtls # use the TLS netstream driver, as listed in step 1
    $DefaultNetstreamDriverCAFile /tmp/client_CA.pem
    $DefaultNetstreamDriverCertFile /tmp/server_Cert.pem
    $DefaultNetstreamDriverKeyFile /tmp/Server_Key.pem
    $ModLoad imtcp # load TCP listener
    $InputTCPServerRun 1290
    $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
    $InputTCPServerStreamDriverAuthMode x509/name
    $InputTCPServerStreamDriverPermittedPeer 164.100.150.10
    $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
    local0.* -/var/log/NAM_audits.log;ForwardFormat

  2. Restart the rsyslog service.
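
The following check is an added example, not part of the product documentation: it reads legacy-format rsyslog directives like the ones in this section and reports receiver settings that leave the audit channel unencrypted or the sending peer unverified. The rules (anything other than x509/name is reported), the function names, and the sample paths, port and peer name are assumptions of this example.

```python
import re

# Matches legacy rsyslog lines of the form "$Name value  # comment".
DIRECTIVE = re.compile(r"^\s*\$(\w+)\s+(.*?)\s*(?:#.*)?$")

def parse_directives(text):
    """Map each directive name (lowercased by this example) to its values."""
    found = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2))
    return found

def audit_receiver(text):
    """Return findings for the receiver settings described in this section."""
    d = parse_directives(text)
    last = lambda name: d.get(name.lower(), [None])[-1]
    findings = []
    if "udpserverrun" in d:
        findings.append("UDP listener: no encryption or peer authentication")
    if last("DefaultNetstreamDriver") != "gtls":
        findings.append("DefaultNetstreamDriver is not gtls")
    for name in ("CAFile", "CertFile", "KeyFile"):
        if not last("DefaultNetstreamDriver" + name):
            findings.append(f"DefaultNetstreamDriver{name} is not set")
    if last("InputTCPServerStreamDriverMode") != "1":
        findings.append("StreamDriverMode is not 1 (TLS-only)")
    mode = last("InputTCPServerStreamDriverAuthMode")
    if mode != "x509/name":
        findings.append(f"AuthMode {mode} does not check the peer's subject name")
    elif not last("InputTCPServerStreamDriverPermittedPeer"):
        findings.append("x509/name is set but no PermittedPeer is listed")
    return findings

# Constructed samples; paths, port and peer name are placeholders.
TLS_FILES = """$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/tls/server-key.pem
$ModLoad imtcp
$InputTCPServerRun 1290
"""
WEAK = TLS_FILES + "$ModLoad imudp\n$UDPServerRun 514\n$InputTCPServerStreamDriverAuthMode anon\n"
HARDENED = TLS_FILES + ("$InputTCPServerStreamDriverMode 1 # TLS-only\n"
                        "$InputTCPServerStreamDriverAuthMode x509/name\n"
                        "$InputTCPServerStreamDriverPermittedPeer audit-client.example.net\n")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_receiver(conf) or "no findings")
```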